Re: [Detnet] DetNet Security - Items for Work Session 11Sep20
"Grossman, Ethan A." <eagros@dolby.com> Fri, 11 September 2020 18:00 UTC
Return-Path: <eagros@dolby.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC4703A161E for <detnet@ietfa.amsl.com>; Fri, 11 Sep 2020 11:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dolby.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tPsMum4VKaDc for <detnet@ietfa.amsl.com>; Fri, 11 Sep 2020 11:00:17 -0700 (PDT)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2125.outbound.protection.outlook.com [40.107.237.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BF433A0EFC for <detnet@ietf.org>; Fri, 11 Sep 2020 10:59:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ehg9ll/XSl4Xwc06CcHJxem8sUkcSfocvGtdR1Vh70ibZ1aJhDHW/Pej8Qlmve8+1oHxIbSZd+vf/Bc8uxemkTS+KvB9Ot6QDbovOQ2e/0NtPY4vTTlX1cjq8rCueksLBo3Vlr0QpJGp6Yw9vrHsLCQZkHKOnQk434SNAPxYy9wZrQRCVZ4GYkN3ay6gzTLkJzx2CqrwaP4dOJxLvoueu4Tyx7ZkoKHMhImExLTpKGyvxkTaWKEngRNGi7vSY+fmZ+dzfYVqgxOjIzb12kiT1x1DWlhjIDMLMNSOsXtowql/g4Lxv/zkUyBapV5BsYDqcjviFysX7yw//aXQZsg2aA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bQPzWP3ON8gpp36JBf0n5jU1pLJnXCNTQeZN1qHCDjY=; b=KI9Bqt+QEvg/MIeoNoBmB5oSGsTCQea107gjWCuJixQrGD0WQnZCr/91S98Rmk4e/4p8ozvRdfzog18ssNTy/q8epfd1ntwU8L2hYlQgQJxwnSxbijdrwERSnMaBtK3F5DAcKgBhdSRyTsTBvhmI+cvnPMmvio4XbzCf7ObsnzcZWEZAkpG7UXuwbROKqA7mz2LngPsvbqgXl0ThxnJ0GpxqMjrR49EWueEsId+HBdx5cOU2JR9b7yxf8G+ppYhSaR0Kk96jgTYtK8LAORNUjOra5N4w2dJgGPKktHVNXzS6GjJoC99WFtBgJfenNQJHujPcsAiqfrjpfCMbhoWYMw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dolby.com; dmarc=pass action=none header.from=dolby.com; dkim=pass header.d=dolby.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dolby.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bQPzWP3ON8gpp36JBf0n5jU1pLJnXCNTQeZN1qHCDjY=; b=fKmci7q/Cl9/aI8Fi8RxIds1CaJVzjML/0isSagkmv/o8li+UHT2/Fqx2j8AtVJxzgJiXPNQAzb1KFoMiA3X082j3abTa7QILT4Av926j2uYs5rNr5CwTMUruhoxnOdEwz+gW3OTUltj6bTXqI8UV1H7g9ILBc3Q+Q6L/zi0ZGs=
Received: from BY5PR06MB6611.namprd06.prod.outlook.com (2603:10b6:a03:23d::20) by BYAPR06MB4103.namprd06.prod.outlook.com (2603:10b6:a02:91::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16; Fri, 11 Sep 2020 17:59:53 +0000
Received: from BY5PR06MB6611.namprd06.prod.outlook.com ([fe80::59d0:9610:aeb8:ca84]) by BY5PR06MB6611.namprd06.prod.outlook.com ([fe80::59d0:9610:aeb8:ca84%4]) with mapi id 15.20.3370.017; Fri, 11 Sep 2020 17:59:53 +0000
From: "Grossman, Ethan A." <eagros@dolby.com>
To: "detnet@ietf.org" <detnet@ietf.org>, Stewart Bryant <stewart.bryant@gmail.com>, Lou Berger <lberger@labn.net>, Janos Farkas <Janos.Farkas@ericsson.com>, "Black, David" <David.Black@dell.com>, "Dr A. Paventhan" <paventhan@eis.ernet.in>
CC: Deborah Brungard <db3546@att.com>
Thread-Topic: DetNet Security - Items for Work Session 11Sep20
Thread-Index: AdaGS3K2v07Ha/cNQMazuFKFxqfnlQCCf13Q
Date: Fri, 11 Sep 2020 17:59:53 +0000
Message-ID: <BY5PR06MB661177BFECB1483278B7D8EFC4240@BY5PR06MB6611.namprd06.prod.outlook.com>
References: <BY5PR06MB6611E7A1E182BB0427CD4003C4260@BY5PR06MB6611.namprd06.prod.outlook.com>
In-Reply-To: <BY5PR06MB6611E7A1E182BB0427CD4003C4260@BY5PR06MB6611.namprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=dolby.com;
x-originating-ip: [73.70.15.21]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a3855acc-9790-4ec7-3a36-08d8567c7c87
x-ms-traffictypediagnostic: BYAPR06MB4103:
x-microsoft-antispam-prvs: <BYAPR06MB410364B266B9CAF3E7305A9CC4240@BYAPR06MB4103.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: X8kiPj0JJQmdQm/FnAiXFg0tWjTEcghjpyehiOo9ulrBzDRPJDH3nCICB2tINhVC5vQ3pfwwVIsXK82SpS9xzsQ/cnMiInOSPCpb++uYleFponDPF8xwF4n8gM2RMFm1zuK3kzd0uinFDzvbPA+yPv+KuEuJzWEnnq3mfIY2U+YpAujH9V7czH/Mzj9EGVbUSTlyvL0oY/ProfdblD8qln6JhqDclLh79TEIAW9u9l32yyTOPMxd/LOebGgtG65QEyLAcNrGD7+OuD71Zr8PsRG2sd6HyD+toQR/tII/Dpzy29vbyA9D49LJUfB7L6EIOWtmBPzv7DjBxtioLyzw4ile/Vd5s6DYM42yIEQn5y3MOhQmuql0k0OqTOrSZgSWFZbFjmPvs85m/u2Loc0JiA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR06MB6611.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(39850400004)(346002)(376002)(396003)(366004)(136003)(66556008)(76116006)(66946007)(66574015)(15650500001)(110136005)(71200400001)(4326008)(66476007)(186003)(64756008)(966005)(66446008)(53546011)(478600001)(26005)(316002)(2906002)(8936002)(30864003)(86362001)(7696005)(52536014)(33656002)(5660300002)(9686003)(6506007)(83380400001)(8676002)(55016002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: BYbISzto7Behr7UuKY88X7+4fvmXeZ2Sux9YG6436xbOnMcmq9AvcAwmTekuhp7JDd4qPbCkte6UfAF0Jfv9x1w6bRC6zdT1VjGpCI/VY2CrqLiUmRrNAZokrt53Z7fOPEMsvxvidhwu44cW8MgahWruE8eQNQAhEBtUBYC2ExrBb8Y3TStnxYR2KOu5jv6ne+geGYwX0CXA0Mh4HJFSlqv35X7zXkh3lNW/94TRHQWNNj4+j0nEpzNmx0G0Kg9MvBOh6vaMMPTDbqtZgocH/aKqzlX3ZZ/6ElWhTk0kG39APaSd7849m7ZLnk0oGBGq8sXAWE8r+U/vGcx176PF+ke6apyW+lRmYLV373TrGppa+9kQSU4M4fVGKpIiaI3/e+ne/BhbCV+TsVCxfobkLJw6rSpdQ1Qup0v+kE/w07wIr+FBu6DuAenG01cmvNCeaJ/xiriYIM85fZE/mO6bpDDb3DiLtzBhhPUOCzkGiGJGLgYkh70i0jruRLk/BD/CW7L9xtSfqytEC1oul1TVq0KjFCRD2qQdFvGOmAc00MB99Y//58KBDLF2wQ4x+4eul+qDmVxSpuG9M+Yi7IZw+kOzi0e/tRewYOjk+FgBGmJwYFCJYsm0YbY0gI0E+WoOCDBQffyVCza6cPRwDIEBbg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: dolby.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR06MB6611.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a3855acc-9790-4ec7-3a36-08d8567c7c87
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2020 17:59:53.7090 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 05408d25-cd0d-40c8-8962-5462de64a318
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vI+5iXQZp6w1FmrTGDTDGmiGfHkI3svYUxpVvd67s+ZG21f+JlXadr/w/+XXFvbhxJbdxVIEVokv0z/piDkotA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR06MB4103
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/rsbQPJ6q8WHc5bmALIA3NMlPNpY>
Subject: Re: [Detnet] DetNet Security - Items for Work Session 11Sep20
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2020 18:00:20 -0000
Hi All, Here are the resolutions (marked with "-->" ) that David, Lou and I came to for the remaining open comments on the DetNet Security draft, for review by the WG. In the next couple of weeks I plan to incorporate all of the changes into a new revision and republish. Thanks again for your help, Ethan. -----Original Message----- From: detnet <detnet-bounces@ietf.org> On Behalf Of Grossman, Ethan A. Sent: Tuesday, September 8, 2020 7:15 PM To: detnet@ietf.org; Stewart Bryant <stewart.bryant@gmail.com>; Lou Berger <lberger@labn.net>; Janos Farkas <Janos.Farkas@ericsson.com>; Black, David <David.Black@dell.com>; Dr A. Paventhan <paventhan@eis.ernet.in> Cc: Deborah Brungard <db3546@att.com> Subject: [Detnet] DetNet Security - Items for Work Session 11Sep20 Hi All (read: anyone interested in helping resolve review comments on the DetNet Security draft), Here are the last few remaining items that are on my radar that we would like to resolve at this Friday's work session (11Sep20, 9am PDT). If you know of any other items I may have missed, please let me know. Thanks, Ethan (as Editor, DetNet Security draft) +++++++++++++++++++++ Start ++++++++++++++++++++++++++++++++ I3) I looked for, but didn't find issues of bogus or compromised central controllers. This ranges from a node falsely representing itself as a controller so that the network nodes believe it to be authorised to instruct them (and that includes both being discovered as a controller and impersonating a real controller), to software subversion of the real controller. It might even include malicious acts by a network operator. Much, but not all, of this is hard to protect against. Some of it can be mitigated by monitoring and logging. --> Any compromised node that participates in the network can cause harm to the network. Section 5.3 summary of attacks: do we have a new attack? No. No different than a non-DetNet network. But where describe threats, say that compromised router, control plane node or controller can affect that particular threat. Go through section 5 and add line as appropriate. Make sure mentions controller plane also - be clear on that. Mitigation for compromised nodes are not impacted by the introduction of deterministic networking. The same techniques used to mitigate compromised nodes are equally applicable in the DetNet case. --> Add to the last paragraph in sec 5 intro: In general, there is no difference between controller plane threats in DetNet networks vs. non-DetNet networks. --> In following section (5.2.2, 5.2.5.1 (5.2.6 already talks about it. ) add: This threat also applies to the DetNet controller plane. In addition: --> Old: 7.3. DetNet Node Authentication Description Source authentication verifies the authenticity of DetNet sources, enabling mitigation of spoofing attacks. Note that while integrity protection (Section 7.2) prevents intermediate nodes from modifying information, authentication can provide traffic origin verification, i.e. to verify that each packet in a DetNet flow is from a trusted source. Authentication may be implemented as part of ingress filtering, for example. New: 7.3. DetNet Node Authentication Description Authentication verifies the identity of DetNet nodes (including DetNet Controller Plane nodes), enabling mitigation of spoofing attacks. Note that while integrity protection (Section 7.2) prevents intermediate nodes from modifying information, authentication (such as provided by IPsec or MACsec) can provide traffic origin verification, i.e. to verify that each packet in a DetNet flow is from a trusted source. ---------------------------- S5) I didn't understand the practicality of node authenticaiton as described in 7.3. Is this intended as a check on entry into the network (only authenticated sources can introduce traffic to the network), a check at the destiantion (only authenticated sources can send to this destination), or a per-hop check (is this traffic authenticated to be in the network? Furthermore, are the checks per packet or per flow? There are obvious scaling and and key exchange issues involved. --> The new text for I3 above resolves this item also. Scaling issues are dealt with in the controller plane draft; key exchange is addressed by IPsec and MACsec. --- From Ben Kaduk: 1) "security considerations for when flow aggregation is in play, namely that misbehavior from one component flow can affect sibling flows as collateral damage." --> Flow aggregation is described in the Framework draft. --> At the high level, this is a "don't do that" scenario. Specifically do not aggregate flows when one flow could consume DetNet resources in a manner that could cause a security issue for other flows in the aggregate, e.g. starvation. Threat: Given 4 streams aggregated, you multiple resources by 4 - however if one flow uses more than its individually allocated BW, this could affect the others. Countermeasures: 2) Ingress police each flow before it is aggregated. 2) Don't aggregate flows that could do this to each other, i.e. the source of each flow must be trusted not to exceed its share of the assigned resources. 2) "the use of HMAC without a co-located discussion of the need for key distribution " Old: 7.2 Integrity Protection Description An integrity protection mechanism, such as a Hash-based Message Authentication Code (HMAC) can be used to mitigate modification attacks on IP packets. Integrity protection in the controller plane is discussed in Section 7.6. New: 7.2 Integrity Protection Description An integrity protection mechanism, such as a hash-based Message Authentication Code (MAC) can be used to mitigate modification attacks on IP packets. Such MAC usage needs to be part of a security association that is established and managed by a security association protocol such as IKEv2 for IPsec security associations. Integrity protection in the controller plane is discussed in Section 7.6. 3) "having a taxonomy of threats titled "threat model"". Additional comments from Ben that were forwarded by Deborah on 27aug20: > > I don't know of a recent document that has a dedicated/generic > > threat model written out. In my opinion the model in (Section 3 of) > > RFC 3552 still does a reasonable job of listing out the common > > threats (though the language is a bit dated, and it includes some > > topics that are not very relevant for the detnet cases). I agree > > with you that 7835 is a better fit for detnet's case than 7384 is > > (not least because, being concerned only with time protocols, 7384 > > skips one or two classes of threat that are not relevant for timekeeping). > > > > If I was writing a threat model for detnet, I'd probably keep the > > internal/external distinction but pair that with off-path/on-path, > > and then further characterize the specific capabilities (some of > > which are only possible when on-path): reading valid packets (an > > attacker that only does this is "passive on-path"; doing anything > > more makes it "active", which is not necessarily on-path), dropping > > valid packets, modifying initially-valid packets, injecting packets, > > etc. Some of these capabilities can be combined to provide other > > behaviors, which may be worth considering as first-class > > capabilities for conveince in the threat model: delaying valid > > packets can be achieved by reading, dropping, and later injecting; > > replaying valid packets can be achieved by reading and later > > injecting; reordering valid packets can be achieved by reading (and storing) and injecting, etc. RFC 7835 covers most of that but doesn't mention delay, at least. > > > > (FWIW, my present thinking is that a MITM is a special-case of an > > active on-path attacker that is doing "connection splicing" and > > impersonating both parties on the connections in question.) Also Deborah wrote: Recently, I helped with RFC7835, it was organized with internal/external and on-path/off-path. They used both together, so you may want to look how they defined. It may help also as it does data plane and control plane. --> EAG/DB notes: Section 5 says based on RFC7384 (Time protocol security). Suggestion is to use RFC7835 - section 2, and rewrite our section 5 accordingly integrating both 7384 and 7835 - not simple. 4) Re: "The primary considerations for the data plane is to maintain integrity of data and delivery of the associated DetNet service traversing the DetNet network. Application flows can be protected" - "I'd suggest leading in to this with "As for all communications protocols," to be clear that this paragraph is not trying to cover the bits that are "unique to DetNet" as much as remind the reader of general best practices." --> This text is from Framework draft -06 Sec 5 paragraph 3 (https://tools.ietf.org/pdf/draft-ietf-detnet-data-plane-framework-06.pdf) and the requested text has already been added there (in draft -06). ------------------------------------------ 5) "This might also be a good place to note that correct operation of the PREOF functions is pretty critical, and failures there could lead to pretty catastrophic situations for the operational technology relying on them. I don't think there are ways for an attacker to try to attack them directly, but Murphy's Law can be a pretty effective attacker, too." EAG: This comment is about the Security section of the Framework draft. The topic of security for PREOF is discussed in the Security draft section 3, Security Considerations for DetNet Component Design, sub-section 3.3. Redundant Path Support. An explicit statement that PREOF failures could lead to catastrophic results seems unnecessary? ---------------------------------------------------------- 6) Re: "At the management and control level DetNet flows are identified on a per-flow basis, which may provide controller plane attackers with additional information about the data flows (when compared to controller planes that do not include per-flow identification). This is an inherent property of DetNet which has security implications that should be considered when determining if DetNet is a suitable technology for any given use case." - "I might also note that attackers with access to the controller plan already have pretty significant attacks available to them." --> This comment refers to text from the Framework draft -06 Sec 5 paragraph 4. (https://tools.ietf.org/pdf/draft-ietf-detnet-data-plane-framework-06.pdf) --> EAG: I don't see a need for the requested additional text to be added to the Security draft. +++++++++++++++++ End ++++++++++++++++++++++++ _______________________________________________ detnet mailing list detnet@ietf.org https://www.ietf.org/mailman/listinfo/detnet
- [Detnet] DetNet Security - Items for Work Session… Grossman, Ethan A.
- Re: [Detnet] DetNet Security - Items for Work Ses… Grossman, Ethan A.